This is a continuation from this post. Stage2 is different in that it’s waiting on user input with a call to fgets.

I started with just a simple string to observe the functionality.

You’ll notice it’s executing an xor on the first byte of our input string with the lowest byte in ecx. This part is a loop: the next byte it xors against our string is created by adding and shifting bytes. I really didn’t want to waste time trying to reverse how it was creating these bytes, so to be lazy I just gave it a very long string and documented every byte value it tried to xor with my string.

Eventually I had the list of bytes.

{ 0x4E, 0x2F, 0x44, 0x1D, 0x5E, 0x3F, 0x54, 0x2D, 0x6E, 0x4F, 0x64, 0x3D, 0x7E, 0x5F, 0x74, 0x4D, 0x8E, 0x6F, 0x84, 0x5D, 0x9E, 0x7F, 0x94, 0x6D, 0xAE, 0x8F, 0xA4, 0x7D }

Once it has xored every byte of our string, the function goes on to compare each xor result with a second table of bytes. If any of our results does not match the expected byte, the function returns early.

Now that I know which bytes it xors our string with and which bytes it expects as the result, all I need to do is xor those two values together to expose the string needed to defuse Stage2. Here’s some code to do just that.

#include <cstdio>

// Plain unsigned bytes. The original build pulled BYTE from <Windows.h>, which is
// the only thing it needed from that header; this typedef makes the program portable.
typedef unsigned char BYTE;

int main()
{
    // Key bytes the Stage2 loop xors against each byte of our input (recorded in the debugger)
    BYTE xorResult[] = { 0x4E, 0x2F, 0x44, 0x1D, 0x5E, 0x3F, 0x54, 0x2D, 0x6E, 0x4F, 0x64, 0x3D, 0x7E, 0x5F, 0x74, 0x4D, 0x8E, 0x6F, 0x84, 0x5D, 0x9E, 0x7F, 0x94, 0x6D, 0xAE, 0x8F, 0xA4, 0x7D };
    // Bytes the function then compares each xor result against
    BYTE expectedResult[] = { 0x1A, 0x47, 0x2D, 0x6E, 0x7E, 0x56, 0x27, 0x0D, 0x04, 0x3A, 0x17, 0x49, 0x5E, 0x2B, 0x1C, 0x28, 0xAE, 0x0D, 0xE1, 0x3A, 0xF7, 0x11, 0xFA, 0x04, 0xC0, 0xE8, 0x8A, 0x77 };

    BYTE decryptionResult[sizeof(xorResult)] = { 0 };

    // xor is its own inverse: key ^ expected gives back the input byte the check wants
    for (size_t i = 0; i < sizeof(xorResult); i++)
    {
        decryptionResult[i] = xorResult[i] ^ expectedResult[i];
        printf("%c", decryptionResult[i]);
    }

    printf("\n");
    return 0;
}

And here is the result.

Plugging in the string “This is just the beginning.” will successfully defuse Stage2. On to Stage3!
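As an added example (not code from the post or from the challenge binary), the program below models the Stage2 check the way the post describes it, xor each input byte with the key and return on the first mismatch, and recovers the required input from the two tables listed above. It also includes a small keystream generator that reproduces the 28 observed key bytes; the generator is an assumption inferred from the listed values (a 4-byte base with 0x10 added every four positions), not the binary's actual arithmetic, and it is not verified beyond 28 bytes. The function names `stage2_keystream`, `stage2_check` and `stage2_answer` are made up for this example.

```c
#include <stdio.h>
#include <string.h>

#define STAGE2_LEN 28

/* Key bytes the Stage2 loop xors against each input byte (the list from the post). */
static const unsigned char stage2_key[STAGE2_LEN] = {
    0x4E, 0x2F, 0x44, 0x1D, 0x5E, 0x3F, 0x54, 0x2D, 0x6E, 0x4F, 0x64, 0x3D, 0x7E, 0x5F,
    0x74, 0x4D, 0x8E, 0x6F, 0x84, 0x5D, 0x9E, 0x7F, 0x94, 0x6D, 0xAE, 0x8F, 0xA4, 0x7D
};

/* Results the function compares each xor against (the second table from the post). */
static const unsigned char stage2_expected[STAGE2_LEN] = {
    0x1A, 0x47, 0x2D, 0x6E, 0x7E, 0x56, 0x27, 0x0D, 0x04, 0x3A, 0x17, 0x49, 0x5E, 0x2B,
    0x1C, 0x28, 0xAE, 0x0D, 0xE1, 0x3A, 0xF7, 0x11, 0xFA, 0x04, 0xC0, 0xE8, 0x8A, 0x77
};

/* Assumption (inferred from the listed values, not from the binary): the key is a
 * 4-byte base with 0x10 added to each byte every four positions. This reproduces the
 * 28 observed bytes; it is not verified beyond that length. */
void stage2_keystream(unsigned char *out, size_t n)
{
    static const unsigned char base[4] = { 0x4E, 0x2F, 0x44, 0x1D };
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(base[i & 3] + 0x10 * (i / 4));
}

/* 1 if the generator above reproduces the observed key bytes, else 0. */
int stage2_keystream_matches(void)
{
    unsigned char gen[STAGE2_LEN];
    stage2_keystream(gen, STAGE2_LEN);
    return memcmp(gen, stage2_key, STAGE2_LEN) == 0;
}

/* Reference model of the check as the post describes it: xor each input byte with
 * the key and return early on the first mismatch. 1 = defused, 0 = not. */
int stage2_check(const unsigned char *input, size_t len)
{
    if (len < STAGE2_LEN)
        return 0;                         /* too short to satisfy all 28 comparisons */
    for (size_t i = 0; i < STAGE2_LEN; i++) {
        if ((unsigned char)(input[i] ^ stage2_key[i]) != stage2_expected[i])
            return 0;                     /* the early return seen in the disassembly */
    }
    return 1;
}

/* Inverse of the check: because xor is its own inverse, key ^ expected is the input
 * byte the function wants. Returns a NUL-terminated copy of the recovered bytes. */
const char *stage2_answer(void)
{
    static char answer[STAGE2_LEN + 1];
    for (size_t i = 0; i < STAGE2_LEN; i++)
        answer[i] = (char)(stage2_key[i] ^ stage2_expected[i]);
    answer[STAGE2_LEN] = '\0';
    return answer;
}

int main(void)
{
    const char *answer = stage2_answer();
    printf("keystream model matches observed bytes: %s\n",
           stage2_keystream_matches() ? "yes" : "no");
    printf("recovered input: %s", answer);   /* the last byte is the '\n' that fgets keeps */
    printf("check passes on recovered input: %d\n",
           stage2_check((const unsigned char *)answer, strlen(answer)));
    printf("check passes without the newline: %d\n",
           stage2_check((const unsigned char *)answer, strlen(answer) - 1));
    return 0;
}
```

Two details worth noticing: the 28th recovered byte is 0x0A, so the expected input is the 27-character sentence plus the newline that fgets leaves in the buffer, which is why typing the sentence and pressing Enter satisfies the check. And because both tables are constants in the binary and the transform is a fixed xor, the "secret" is fully recoverable offline, exactly as the post does; the early return on the first mismatch additionally makes the comparison non-constant-time, so this pattern is an obfuscation step rather than a real protection for the value being checked.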

Last modified: June 7, 2019